WASHINGTON -- Congress' good intentions may also be good business for the
$2.8 billion shady world of the spyware industry. Pending anti-spyware
legislation may, in fact, end up legitimizing bad actors.

That's the take of Richard Stiennon, vice president of threat research at
anti-spyware firm Webroot. Stiennon, who spoke at the Gartner IT Security Summit here today, thinks Congress should do less, rather than more, when it comes to federal anti-spyware bills.

Last month, the U.S. House of Representatives passed two
anti-spyware measures. One bill (I-SPY Act) imposes tougher criminal
penalties for spyware-related activities.

The other bill (SPY Act) also
increases penalties but includes an opt-in, notice and consent regime for
legal software -- adware -- that collects personally identifiable
information from consumers.

Both bills contain a long list of exemptions, including pre-purchase
installations, cookies and software and network security upgrades.

"I'm leaning toward preferring the increase in penalties for bad acting,"
Stiennon told internetnews.com. "By setting a lot of definitions,
you're going to have some of the perpetrators just modifying their behavior
to comply with this new law and then start legal activities to get index
spyware vendors to stop listing them."

In particular, Stiennon said, adware companies might be able to say, "Hey,
we comply with this new law, the Federal Trade Commission doesn't have a
problem with what we're doing and you shouldn't identify us this way."

Prominent adware firms such as Claria have in recent months mounted public
relations campaigns to distinguish themselves from spyware companies. The
purpose of adware is to drive visitors to advertisers' Web sites. Adware
writers and distributors redirect browsers and generate pop-up adds.

Adware vendors contend they obtain consent before installing their software.
Spyware, on the other hand, distributes pop-up advertising without consent
and often in malicious ways.

With or without a new law, Stiennon vowed to continue to list adware vendors
in Webroot's quarterly rankings of top threats to network security.

"I certainly agree they are adware companies, that's how we identify them,"
Stiennon said. "The one thing we won't stop doing is to identify them as
adware companies as long as they serve ads and support free software with
ads."

He also scoffed at adware firms' claims of notice and consent, saying, "If
they truly gave end users full disclosure, they wouldn't have any
customers."

Adware consent, he said, should read: "This product is going to pop up a
million ads in your face and it's going to significantly reduce the
performance of your computer and increase boot times by 30 seconds."

Stiennon also shrugged off the idea of adware lawsuits against Webroot
seeking to be de-listed as a threat.

"Sadly, in this country anybody can sue anyone for anything," he said. "I
don't think anybody could win one of those cases because you will not find
12 U.S. citizens who feel sorry for adware vendors."

Ultimately, Stiennon said, federal anti-spyware legislation will be as
effective as the CAN-SPAM Act, Congress' effort to curb unwanted and
unsolicited e-mail.

"Legislation isn't going to make it go away. Maybe it will push it
offshore," he said. "The CAN-SPAM Act has done some good, but there's more
spam now than when CAN-SPAM passed. It's made it more expensive for
legitimate companies to engage in spam, and this will be the exact same with
spyware."